cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
444
Views
0
Helpful
10
Replies
Highlighted
Beginner

ISR 1100 - FlexVPN with Anyconnect

Dear Friends!

Staying on quarantine I decide to prepare and configure small LAB and test FlexVPN where I have 2xISR1100 and my PC with AnyConnect. I want to test Remote Access based on Ikev2 and authentication based on ONLY certificate. I configured all but it still not working. Can anybody say what is wrong ? Below is my topology, configuration, debug and xml anyconnect profile:

 

(192.168.10.2) PC ------> (192.168.10.1) R1 (150.10.0.1) ----------> (150.10.0.2) R2 (Looback1 10.10.10.1)

 

I also have Windows Server as CA Server, and communication via SCEP is working good, router can download CA cert and enroll to CA Server - my PC also have root CA and cert imported to MMC store (user and machine)

 

R2#sh run
Building configuration...


Current configuration : 8198 bytes
!
! Last configuration change at 06:41:54 UTC Sat Apr 4 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R2
!
boot-start-marker
boot system flash bootflash:c1100-universalk9_ias.16.09.05.SPA.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login AUTHZ local
aaa authorization network AUTHZ local
!
!
!
!
!
!
aaa session-id common
!
ip domain name cisco.com
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint CA
enrollment mode ra
enrollment url http://192.168.10.3:80/certsrv/mscep/mscep.dll
revocation-check crl
rsakeypair R2.cisco.com
!
!
crypto pki certificate chain CA
certificate 4800000005ED0E780533BB5FCF000000000005
30820428 30820310 A0030201 02021348 00000005 ED0E7805 33BB5FCF 00000000
0005300D 06092A86 4886F70D 01010B05 00304F31 13301106 0A099226 8993F22C
64011916 03636F6D 31183016 060A0992 268993F2 2C640119 16086F72 69666C61
6D65311E 301C0603 55040313 154F7269 666C616D 6520526F 6F742043 41204765
6E32301E 170D3230 30343033 32303232 32375A17 0D323130 34303332 30333232
375A3020 311E301C 06092A86 4886F70D 01090213 0F52322E 6F726966 6C616D65
2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181
00AD3A91 AB6DC8C6 ADCA707E E4F5CCEB 5CC33E26 62C19D63 C88668DE 720E81D8
B2D8065D 9A292F92 96DE9F77 98B3EAE5 0F55CE0E F0D607EE 32CB330D CB4D1027
23C727EB D1A8D107 0D3D5F99 53D45D52 472AD8F9 D2B0362B A586DC84 7C5AFB61
770A753F B95E9370 EFBB0FC3 49BC10B3 6CEAF16C 3297E156 6856A859 EFCADBB3
C3020301 0001A382 01AE3082 01AA300B 0603551D 0F040403 0205A030 1D060355
1D0E0416 04148110 E9E57166 DDE14D84 290663C8 8535151E 1878301F 0603551D
23041830 168014E5 7B74C082 27DC407A 1309EB10 CB051038 71037830 61060355
1D1F045A 30583056 A054A052 86506669 6C653A2F 2F2F2F57 494E2D38 354C4835
46553134 4C442E6F 7269666C 616D652E 636F6D2F 43657274 456E726F 6C6C2F4F
7269666C 616D6525 3230526F 6F742532 30434125 32304765 6E322E63 726C3081
8906082B 06010505 07010104 7D307B30 7906082B 06010505 07300286 6D66696C
653A2F2F 2F2F5749 4E2D3835 4C483546 5531344C 442E6F72 69666C61 6D652E63
6F6D2F43 65727445 6E726F6C 6C2F5749 4E2D3835 4C483546 5531344C 442E6F72
69666C61 6D652E63 6F6D5F4F 7269666C 616D6525 3230526F 6F742532 30434125
32304765 6E322E63 7274301D 0603551D 110101FF 04133011 820F5232 2E6F7269
666C616D 652E636F 6D303F06 092B0601 04018237 14020432 1E300049 00500053
00450043 0049006E 00740065 0072006D 00650064 00690061 00740065 004F0066
0066006C 0069006E 0065300C 0603551D 130101FF 04023000 300D0609 2A864886
F70D0101 0B050003 82010100 26173B0A 676A680D 79CB56E5 BE0DE4DF B4745B2C
2D0A175A FDA62E6D 24FB9A18 56D7C97E B4D59C6B 148CC8A3 522A3546 6C487A57
1F47DCDD 2DC4508E 94517875 9E68292A 69AB3C18 1D9A7C52 B2A423F9 65DE9B4D
948699C1 5DF12EA4 0D901D04 DB85215C 96DBEDB6 ECF45546 CCD48568 4EB3A334
CEB30EC7 0C40FDF4 5235DF68 4C26440E 0E0DF71D 60C90382 87500BF4 4D5A5692
32994B65 4163AADA 39099EC9 BE149DE8 3BB0891A 67DE57B0 31E91DAE 67BEDC3E
B810BEEA 5EFC6F36 F667663F 9136DE66 8C9C1F80 4F6D3BCD 28E87FF5 7480C087
6C04BB9D 5C490976 DFE7F80A E9852E93 C264BEC9 D5D1230C FE433AFF 29D9E23B
75045E87 A8CB5F22 87C3E356
quit
certificate ca 28869BD6399B38994F2558D03A4B2E71
30820379 30820261 A0030201 02021028 869BD639 9B38994F 2558D03A 4B2E7130
0D06092A 864886F7 0D01010B 0500304F 31133011 060A0992 268993F2 2C640119
1603636F 6D311830 16060A09 92268993 F22C6401 1916086F 7269666C 616D6531
1E301C06 03550403 13154F72 69666C61 6D652052 6F6F7420 43412047 656E3230
1E170D32 30303430 33313934 3032365A 170D3235 30343033 31393530 32365A30
4F311330 11060A09 92268993 F22C6401 19160363 6F6D3118 3016060A 09922689
93F22C64 01191608 6F726966 6C616D65 311E301C 06035504 0313154F 7269666C
616D6520 526F6F74 20434120 47656E32 30820122 300D0609 2A864886 F70D0101
01050003 82010F00 3082010A 02820101 00A0FCE5 13890259 FDF020C1 A5FF99B5
C66CC9D6 54C83075 22B0E009 FCEBB174 EC73A741 6A3B451F C647DD04 A81F4AEA
35603435 8E4AD825 1C482D00 F3956D16 FC59DCD6 0D8FAF3D 8E5410AC DAD49FF3
906EDA26 8D0FC8E1 D7FADE06 31204202 8F5A1A20 2AF3EBC4 CE755B27 84322E5B
FBA577DF 74EA3389 27BE8F63 8397D27C B1A9C263 EF44FA40 BC5D50A7 6A607703
4E9337DD 4E9C7422 DECC5EE6 EBFD5FDA 7469B597 FA469982 D55BF5AF 5C7AB7C3
013EE918 2FFBBFB4 3C450FB2 0AFF1F0F 0CE12211 D5428BE3 6DDFF649 B4E2F540
393216D4 B1C5CB52 1A1134DF 51C0BD82 B90153CA CF15994A FFB8709D 080030AC
B01A9724 98EB49F9 8AA658F3 9CCA3D7C F9020301 0001A351 304F300B 0603551D
0F040403 02018630 0F060355 1D130101 FF040530 030101FF 301D0603 551D0E04
160414E5 7B74C082 27DC407A 1309EB10 CB051038 71037830 1006092B 06010401
82371501 04030201 00300D06 092A8648 86F70D01 010B0500 03820101 0056A197
3DA2BF07 56D36111 7FECF34D 39999DE7 82616666 3A322748 494255A2 07717764
F7E08111 E8BAD6B8 B0E1EF48 E0DCC51B BF1E21DD 52E0F6BF 75A8A9E7 13F3AC2B
199E2C4B 73C6C65C E07763E8 C4ACCF09 131022BD 985762EF 33F95A6E A8415BA7
A0331866 D1F4FED3 250B90B2 DA007112 89D287FA 289DBFDD D36CEFCB A48439B8
07A5CC48 07B4FCEC 177CFBF2 038FBAA0 55585AB3 260A89A4 1F6E6ABB FC6996BA
04ED590E 22EB09E0 8C5FFA87 8321FA8A 21E97527 BF1C2930 F76C7E3B CE8DF7D4
612D7F9C 6BEBE9C1 3007B2C1 C33C005D A2A96379 E904BE20 47544450 5126648C
94A742C9 572E6167 61020F68 C0C3717C F8B71E58 58BDF6D4 923324CB 8E
quit
!
license udi pid C1111-8PLTEEA sn FGL23021333
license accept end user agreement
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$QuGQ$AUxpKsbFNSIEErVB1BSte1
!
redundancy
mode none
!
crypto ikev2 authorization policy V2AUTHZPOLICY
pool MyPOOL
dns 8.8.8.8
netmask 255.255.255.0
def-domain cisco.com
route set access-list SPLIT-ACL
!
crypto ikev2 proposal V2PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 14 15 19
!
crypto ikev2 policy V2Policy
proposal V2PROPOSAL
!
!
crypto ikev2 profile V2Profile
match identity remote fqdn domain cisco.com
match identity remote key-id *$AnyConnectClient$*
identity local fqdn R2.cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
aaa authorization group cert list AUTHZ V2AUTHZPOLICY
aaa authorization group anyconnect-eap list AUTHZ V2AUTHZPOLICY
virtual-template 1
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile V2IPSEC
set transform-set V2TS
set ikev2-profile V2Profile
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address 10.10.10.1 255.255.255.255
!
interface GigabitEthernet0/0/0
ip address 150.10.0.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Cellular0/2/0
no ip address
shutdown
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0/0
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile V2IPSEC
!
interface Vlan1
no ip address
!
ip local pool MyPOOL 192.168.50.1 192.168.50.15
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 192.168.10.0 255.255.255.0 150.10.0.1
!
!
ip access-list standard SPLIT-ACL
permit 10.10.10.1
!
!
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
speed 115200
line vty 0 4
!
ntp server 192.168.10.3 prefer
!
!
!
!
!
end

 

Output from AnyConnect: The certificate on the secure gateway is invalid. A VPN connection will not be established

Debug from router:

*Apr 4 08:07:37.901: IKEv2:Received Packet [From 192.168.10.2:56017/To 150.10.0.2:500/VRF i0:f0]
Initiator SPI : 81B3AED1780B9876 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)

*Apr 4 08:07:37.902: IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
*Apr 4 08:07:37.902: IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
*Apr 4 08:07:37.902: IKEv2:Searching Policy with fvrf 0, local address 150.10.0.2
*Apr 4 08:07:37.902: IKEv2:Found Policy 'V2Policy'
*Apr 4 08:07:37.902: IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
*Apr 4 08:07:37.904: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):: The peer's KE payload contained the wrong DH group
*Apr 4 08:07:37.904: IKEv2:(SESSION ID = 25,SA ID = 1):Sending invalid ke notification, peer sent group 1, local policy prefers group 19

*Apr 4 08:07:37.904: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 192.168.10.2:56017/From 150.10.0.2:500/VRF i0:f0]
Initiator SPI : 81B3AED1780B9876 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)

*Apr 4 08:07:37.904: IKEv2:(SESSION ID = 25,SA ID = 1):Failed SA init exchange
*Apr 4 08:07:37.905: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Initial exchange failed: Initial exchange failed
*Apr 4 08:07:37.905: IKEv2:(SESSION ID = 25,SA ID = 1):Abort exchange
*Apr 4 08:07:37.905: IKEv2:(SESSION ID = 25,SA ID = 1):Deleting SA

*Apr 4 08:07:37.908: IKEv2:Received Packet [From 192.168.10.2:56017/To 150.10.0.2:500/VRF i0:f0]
Initiator SPI : 81B3AED1780B9876 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)

*Apr 4 08:07:37.909: IKEv2:(SESSION ID = 26,SA ID = 1):Verify SA init message
*Apr 4 08:07:37.909: IKEv2:(SESSION ID = 26,SA ID = 1):Insert SA
*Apr 4 08:07:37.909: IKEv2:Searching Policy with fvrf 0, local address 150.10.0.2
*Apr 4 08:07:37.909: IKEv2:Found Policy 'V2Policy'
*Apr 4 08:07:37.909: IKEv2:(SESSION ID = 26,SA ID = 1):Processing IKE_SA_INIT message
*Apr 4 08:07:37.910: IKEv2:(SESSION ID = 26,SA ID = 1):Received valid config mode data
*Apr 4 08:07:37.910: IKEv2:Config data recieved:
*Apr 4 08:07:37.910: IKEv2:(SESSION ID = 26,SA ID = 1):Config-type: Config-request
*Apr 4 08:07:37.910: IKEv2:(SESSION ID = 26,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Apr 4 08:07:37.910: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Apr 4 08:07:37.910: IKEv2:(SESSION ID = 26,SA ID = 1):Set received config mode data
*Apr 4 08:07:37.911: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 4 08:07:37.911: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'CA'
*Apr 4 08:07:37.911: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 4 08:07:37.911: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Apr 4 08:07:37.911: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Apr 4 08:07:37.911: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Apr 4 08:07:37.911: IKEv2:(SESSION ID = 26,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 4 08:07:37.913: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 4 08:07:37.913: IKEv2:(SESSION ID = 26,SA ID = 1):Request queued for computation of DH key
*Apr 4 08:07:37.913: IKEv2:(SESSION ID = 26,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 4 08:07:37.918: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 4 08:07:37.918: IKEv2:(SESSION ID = 26,SA ID = 1):Request queued for computation of DH secret
*Apr 4 08:07:37.918: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 4 08:07:37.918: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 4 08:07:37.918: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Apr 4 08:07:37.919: IKEv2:(SESSION ID = 26,SA ID = 1):Generating IKE_SA_INIT message
*Apr 4 08:07:37.919: IKEv2:(SESSION ID = 26,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_256_ECP/Group 19
*Apr 4 08:07:37.919: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 4 08:07:37.919: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'CA'
*Apr 4 08:07:37.919: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 4 08:07:37.919: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Apr 4 08:07:37.919: IKEv2:(SESSION ID = 26,SA ID = 1):Sending Packet [To 192.168.10.2:56017/From 150.10.0.2:500/VRF i0:f0]
Initiator SPI : 81B3AED1780B9876 - Responder SPI : 19C19766B1494F77 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Apr 4 08:07:37.921: IKEv2:(SESSION ID = 26,SA ID = 1):Completed SA init exchange
*Apr 4 08:07:37.921: IKEv2:(SESSION ID = 26,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Apr 4 08:08:07.920: IKEv2-ERROR:(SESSION ID = 26,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Apr 4 08:08:07.920: IKEv2:(SESSION ID = 26,SA ID = 1):Auth exchange failed
*Apr 4 08:08:07.920: IKEv2-ERROR:(SESSION ID = 26,SA ID = 1):: Auth exchange failed
*Apr 4 08:08:07.921: IKEv2:(SESSION ID = 26,SA ID = 1):Abort exchange
*Apr 4 08:08:07.921: IKEv2:(SESSION ID = 26,SA ID = 1):Deleting SA
*Apr 4 08:08:07.922: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Apr 4 08:08:07.922: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

 

XML AnyConnectProfile:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>true</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>R2</HostName>
<HostAddress>150.10.0.2</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>

 

Maybe some one have working configuration ?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

I resolved the problem. Certificate was generated incorrectly.

View solution in original post

Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

I forgot paste working configuration, maybe it will be useful to someone someday

 

hostname R2

!

!

aaa new-model

!

!

aaa authorization network AUTHZ local

!

!

!

aaa session-id common

clock timezone CET 1 0

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

!

!

ip domain name cisco.com

!

!

crypto pki trustpoint CA

enrollment terminal

revocation-check none

rsakeypair R2.cisco.com

!

!

!

license udi pid C1111-8PLTEEA sn FGL23021333

license accept end user agreement

license boot level appxk9

license boot level securityk9

no license smart enable

!

diagnostic bootup level minimal

!

spanning-tree extend system-id

!

!

username admin privilege 15 secret 5 $1$QuGQ$AUxpKsbFNSIEErVB1BSte1

!

redundancy

mode none

!

crypto ikev2 authorization policy V2AUTHZPOLICY

 pool MyPOOL

dns 8.8.8.8

netmask 255.255.255.0

def-domain cisco.com

route set access-list SPLIT-ACL

!

crypto ikev2 proposal V2PROPOSAL

 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128

integrity sha512 sha384 sha256

group 14 15 19

!

crypto ikev2 policy V2Policy

 proposal V2PROPOSAL

!

!

crypto ikev2 profile V2Profile

match identity remote fqdn domain cisco.com

identity local fqdn R2.cisco.com

authentication remote rsa-sig

authentication local rsa-sig

pki trustpoint CA

aaa authorization group cert list AUTHZ V2AUTHZPOLICY

virtual-template 1

!

no crypto ikev2 http-url cert

!

!

crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac

 mode tunnel

!

crypto ipsec profile V2IPSEC

set transform-set V2TS

 set ikev2-profile V2Profile

!

!

interface Loopback1

ip address 10.10.10.1 255.255.255.255

!

interface GigabitEthernet0/0/0

ip address 172.16.0.2 255.255.255.252

negotiation auto

!

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/0/0

ip mtu 1400

tunnel source GigabitEthernet0/0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile V2IPSEC

!

interface Vlan1

no ip address

!

ip local pool MyPOOL 192.168.50.1 192.168.50.15

ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 192.168.10.0 255.255.255.0 172.16.0.1

!

!

ip access-list standard SPLIT-ACL

permit 10.10.10.1

!

!

control-plane

!

!

line con 0

transport input none

stopbits 1

speed 115200

line vty 0 4

!

ntp server 192.168.10.1

!

!

end

 

This configuration working based on certificate authentication.

View solution in original post

10 REPLIES 10
Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

One additional question: What is Anyconnect-EAP ? 

I know what is EAP-TLS, EAP-MD5, EAP-MSCHAPv2, EAP-FAST etc.. but EAP-Anyconnect ? I can't find any answer which help me to understand that

Highlighted
VIP Advisor VIP Advisor
VIP Advisor

Re: ISR 1100 - FlexVPN with Anyconnect

Hi,

Try disabling CRL check on your trustpoint

 

crypto pki trustpoint CA
 revocation-check none

 

Also you may need to modify your AnyConnectLocalPolicy.xml in order to bypass downloader.

The "BypassDownloader" option should be set to "true", for example:

<BypassDownloader>true</BypassDownloader>

 

HTH

Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

In which section I should add <BypassDownloader>true</BypassDownloader> ?

I have VPN Profile Editor, could you show me ? I can't find it

Highlighted
VIP Advisor VIP Advisor
VIP Advisor

Re: ISR 1100 - FlexVPN with Anyconnect

The AnyConnectLocalPolicy.xml is modified using the "AnyConnect Profile Editor - VPN Local Policy", this is separate application to the usual VPN Editor application.

 

1.PNG

Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

Ok, I see that I have already checked but it is still not working :(

Highlighted
VIP Advisor VIP Advisor
VIP Advisor

Re: ISR 1100 - FlexVPN with Anyconnect

Try specifying "identity local dn" on the IKEv2 Profile instead of using fqdn.
Define glboally "no crypto ikev2 http-url cert"
Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

Still the same error:

R2(config)#
*Apr 4 12:39:04.327: IKEv2-ERROR:(SESSION ID = 34,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Apr 4 12:39:04.328: IKEv2:(SESSION ID = 34,SA ID = 1):Auth exchange failed
*Apr 4 12:39:04.328: IKEv2-ERROR:(SESSION ID = 34,SA ID = 1):: Auth exchange failed
*Apr 4 12:39:04.329: IKEv2:(SESSION ID = 34,SA ID = 1):Abort exchange
*Apr 4 12:39:04.329: IKEv2:(SESSION ID = 34,SA ID = 1):Deleting SA
*Apr 4 12:39:04.329: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Apr 4 12:39:04.329: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Apr 4 12:39:19.205: IKEv2-ERROR:(SESSION ID = 36,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
*Apr 4 12:39:19.205: IKEv2:(SESSION ID = 36,SA ID = 2):Auth exchange failed
*Apr 4 12:39:19.205: IKEv2-ERROR:(SESSION ID = 36,SA ID = 2):: Auth exchange failed
*Apr 4 12:39:19.207: IKEv2:(SESSION ID = 36,SA ID = 2):Abort exchange
*Apr 4 12:39:19.207: IKEv2:(SESSION ID = 36,SA ID = 2):Deleting SA
*Apr 4 12:39:19.207: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session
*Apr 4 12:39:19.207: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED

Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

I resolved the problem. Certificate was generated incorrectly.

View solution in original post

Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

Only one question, what is Anyconnect-EAP ?

Highlighted
Beginner

Re: ISR 1100 - FlexVPN with Anyconnect

I forgot paste working configuration, maybe it will be useful to someone someday

 

hostname R2

!

!

aaa new-model

!

!

aaa authorization network AUTHZ local

!

!

!

aaa session-id common

clock timezone CET 1 0

clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00

!

!

ip domain name cisco.com

!

!

crypto pki trustpoint CA

enrollment terminal

revocation-check none

rsakeypair R2.cisco.com

!

!

!

license udi pid C1111-8PLTEEA sn FGL23021333

license accept end user agreement

license boot level appxk9

license boot level securityk9

no license smart enable

!

diagnostic bootup level minimal

!

spanning-tree extend system-id

!

!

username admin privilege 15 secret 5 $1$QuGQ$AUxpKsbFNSIEErVB1BSte1

!

redundancy

mode none

!

crypto ikev2 authorization policy V2AUTHZPOLICY

 pool MyPOOL

dns 8.8.8.8

netmask 255.255.255.0

def-domain cisco.com

route set access-list SPLIT-ACL

!

crypto ikev2 proposal V2PROPOSAL

 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128

integrity sha512 sha384 sha256

group 14 15 19

!

crypto ikev2 policy V2Policy

 proposal V2PROPOSAL

!

!

crypto ikev2 profile V2Profile

match identity remote fqdn domain cisco.com

identity local fqdn R2.cisco.com

authentication remote rsa-sig

authentication local rsa-sig

pki trustpoint CA

aaa authorization group cert list AUTHZ V2AUTHZPOLICY

virtual-template 1

!

no crypto ikev2 http-url cert

!

!

crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac

 mode tunnel

!

crypto ipsec profile V2IPSEC

set transform-set V2TS

 set ikev2-profile V2Profile

!

!

interface Loopback1

ip address 10.10.10.1 255.255.255.255

!

interface GigabitEthernet0/0/0

ip address 172.16.0.2 255.255.255.252

negotiation auto

!

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/0/0

ip mtu 1400

tunnel source GigabitEthernet0/0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile V2IPSEC

!

interface Vlan1

no ip address

!

ip local pool MyPOOL 192.168.50.1 192.168.50.15

ip forward-protocol nd

no ip http server

no ip http secure-server

ip route 192.168.10.0 255.255.255.0 172.16.0.1

!

!

ip access-list standard SPLIT-ACL

permit 10.10.10.1

!

!

control-plane

!

!

line con 0

transport input none

stopbits 1

speed 115200

line vty 0 4

!

ntp server 192.168.10.1

!

!

end

 

This configuration working based on certificate authentication.

View solution in original post